What's Missing?

What's missing from this picture is, to hearken back to the XWindow team's
observation, a religion. Linux and UNIX have several tools and processes that
may be applied (policy) but almost none that must be applied
(religion). In order to both play in and compete in the enterprise directory
space, the Linux/UNIX community needs to come up with three things:

A unified set of PAM modules that provide the glue so that workstations and
servers can fully operate with Active Directory without the use of third-party
products. Right now, most Linux distributions ship with the ability to get
login information from an LDAP directory, but login data only accounts for a
small part of AD's available metadata and resource and access controls. Adding
more access modules that allow Linux to have more complete native access to AD
will get it on more desktops and more servers in sites that are right now stuck
with Windows systems.

Changes to glibc and the kernel that enforce compartmentalized security and
mandatory access controls. I believe that some of these features will be part
of the 2.6 kernel, but a really complete implementation can, again, be seen in
the NSA's SELinux.

A unified set of metadata and services that map directly to those supported
by Active Directory so that the open source community can develop and deploy a
native enterprise directory service on the scale of Active Directory.

In order to meet AD on its own turf (so that Linux can seamlessly integrate
today) and do what AD does, but do it better and more cost-effectively, all of
these services must be able to be driven by LDAP and secured through
Kerberos.

The most interesting part of this story is that 95% of the hard work has
already been done! Microsoft didn't invent totally new LDAP schemas to make
Active Directory as comprehensive as it is &mdash as usual, they embraced and
extended the work of others. LDAP schemas already exist, and are publicly
available to cover:

Of course, Microsoft's own schemas are available for perusal on any Active
Directory server (or, if you happen to have a Macintosh OS X box, look in
/etc/openldap, for all of Microsoft's schemas are there).
Microsoft's schemas are interesting in that they allow us to determine where
they have deviated from the published standards (notably in ACL information in
Kerberos extensions, which was the point of some heated debate back in
1998-1999).

Finally, we (the Linux community, in particular) tend to think that a lot of
what we're doing is new, but the MIT Athena project had done a lot of this way
back in the late '80s and early '90s. They did it across multiple versions of
UNIX (AIX, Ultrix, SunOS, and several others).

Where Do We Go From Here?

There are two directions that Linux and UNIX must go in simultaneously in
order to get up to speed in this important area of integration:

At the Workstation Level

Take the ACL code and other security hooks from the NSA's Security Enhanced
Linux (SELinux) and use them as the platform into which PAM modules can be used
to tie Linux into AD (and eventually a native Linux directory). SELinux
enforces MACs (Mandatory Access Controls) in the system — some people
will bridle at the thought of adding such potentially draconian security into
what is a very friendly OS, but the addition of such security controls will
only help the community write better software that only uses a privilege where
it's needed, and not just because someone didn't take the time to code a correct
solution. It will also help cut down on potential security breaches down the
road.

At the Enterprise Level

First and foremost, Linux vendors need to ship fully configured LDAP and
Kerberos servers with their distributions with full-fledged database back ends,
not just a DBM-style library, as is currently the case. The single hardest part
of either of these systems is the setup. Wizards need to be provided (the
existing ones in most distributions are dreadfully inadequate) that make the
configuration of parameters simple and activate available schemas without
forcing the administrator to become either an expert in LDAP or Kerberos.

Next, from the perspective of making a Linux enterprise directory AD
compatible, is frankly to dissect Active Directory's schema and implement the
proprietary bits under Linux. When Microsoft does such things they call it
"embrace and extend" because they usually take an open standard and add some
proprietary extension to make it non-portable and lock in their customers, as
they did with their extensions to Kerberos. I would suggest we take a page
from their playbook but call it "enhance and open." As long as this is not
done with internal Microsoft documents that are subject to NDAs, this should
not be a problem. (Hint: the information was reverse-engineered long ago and is
readily available).

LDAP and Active Directory Tools/Notes:

There are several tools already out there that make setting up and
administering LDAP a bit easier. Here are some of the most complete: